feat(workflow): integrate with workflow identity pool (#4945)

* feat(workflows): add wif workflow
* feat(workflows): add name of compute instance
* feat(workflows): fix permissions
* feat(workflows):  add an OR true since github runs with -e
* ci(testing-deployment): include GITHUB envs
* ci(testing-deployment): move GCP information to secrets
* ci(staging-deployment): wif workflow

---------

Co-authored-by: Prashant Shahi <prashant@signoz.io>

.github/workflows/staging-deployment.yaml

@@ -9,19 +9,29 @@ jobs:
     name: Deploy latest develop branch to staging
     runs-on: ubuntu-latest
     environment: staging
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     steps:
-      - name: Executing remote ssh commands using ssh key
+      - id: 'auth'
-        uses: appleboy/ssh-action@v1.0.3
+        uses: 'google-github-actions/auth@v2'
-        env:
-          GITHUB_BRANCH: develop
-          GITHUB_SHA: ${{ github.sha }}
         with:
-          host: ${{ secrets.HOST_DNS }}
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
-          username: ${{ secrets.USERNAME }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
-          key: ${{ secrets.SSH_KEY }}
+
-          envs: GITHUB_BRANCH,GITHUB_SHA
+      - name: 'sdk'
-          command_timeout: 60m
+        uses: 'google-github-actions/setup-gcloud@v2'
-          script: |
+
+      - name: 'ssh'
+        shell: bash
+        env:
+          GITHUB_BRANCH: ${{ github.head_ref || github.ref_name }}
+          GITHUB_SHA: ${{ github.sha }}
+          GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
+          GCP_ZONE: ${{ secrets.GCP_ZONE }}
+          GCP_INSTANCE: ${{ secrets.GCP_INSTANCE }}
+        run: |
+          read -r -d '' COMMAND <<EOF || true
           echo "GITHUB_BRANCH: ${GITHUB_BRANCH}"
           echo "GITHUB_SHA: ${GITHUB_SHA}"
           export DOCKER_TAG="${GITHUB_SHA:0:7}" # needed for child process to access it
@@ -40,3 +50,5 @@ jobs:
           make build-ee-query-service-amd64
           make build-frontend-amd64
           make run-signoz
+          EOF
+          gcloud compute ssh ${GCP_INSTANCE} --zone ${GCP_ZONE} --tunnel-through-iap --project ${GCP_PROJECT} --command "${COMMAND}"

.github/workflows/testing-deployment.yaml

@@ -9,19 +9,29 @@ jobs:
     runs-on: ubuntu-latest
     environment: testing
     if: ${{ github.event.label.name == 'testing-deploy' }}
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     steps:
-      - name: Executing remote ssh commands using ssh key
+      - id: 'auth'
-        uses: appleboy/ssh-action@v1.0.3
+        uses: 'google-github-actions/auth@v2'
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: 'sdk'
+        uses: 'google-github-actions/setup-gcloud@v2'
+
+      - name: 'ssh'
+        shell: bash
         env:
           GITHUB_BRANCH: ${{ github.head_ref || github.ref_name }}
           GITHUB_SHA: ${{ github.sha }}
-        with:
+          GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
-          host: ${{ secrets.HOST_DNS }}
+          GCP_ZONE: ${{ secrets.GCP_ZONE }}
-          username: ${{ secrets.USERNAME }}
+          GCP_INSTANCE: ${{ secrets.GCP_INSTANCE }}
-          key: ${{ secrets.SSH_KEY }}
+        run: |
-          envs: GITHUB_BRANCH,GITHUB_SHA
+          read -r -d '' COMMAND <<EOF || true
-          command_timeout: 60m
-          script: |
           echo "GITHUB_BRANCH: ${GITHUB_BRANCH}"
           echo "GITHUB_SHA: ${GITHUB_SHA}"
           export DOCKER_TAG="${GITHUB_SHA:0:7}" # needed for child process to access it
@@ -41,3 +51,5 @@ jobs:
           make build-ee-query-service-amd64
           make build-frontend-amd64
           make run-signoz
+          EOF
+          gcloud compute ssh ${GCP_INSTANCE} --zone ${GCP_ZONE} --tunnel-through-iap --project ${GCP_PROJECT} --command "${COMMAND}"